Macromedia Studio MX File Permission Setting Lets Local Users Modify a File to Gain Elevated Privileges
SecurityTracker Alert ID: 1009416|
SecurityTracker URL: http://securitytracker.com/id/1009416
(Links to External Site)
Date: Mar 12 2004
Modification of system information, Root access via local system, User access via local system|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): Macromedia MX 2004|
A vulnerability was reported in Apple Mac OS X versions of the Macromedia installers (including Macromedia Studio MX) in the e-licensing client. A local user can obtain elevated privileges on the target system.|
Macromedia reported that the software installs the 'AuthenticationService' file with permissions that allow local users to write to the file and also with set user id (setuid) privileges. The report indicates that if a user without administrative privileges modifies the file, the operating system will remove the setuid setting. However, a local user can reportedly modify the file and then cause a target user to execute the service directly (and not through a Macromedia product) to execute arbitrary code with the privileges of the target user.
According to the vendor, the current versions of all Macromedia products will detect that the file has been changed and refuse to execute the modified file.
The vendor credits Chris Irvine of Dark Horse Comics, Inc. with reporting this vulnerability.
A local user can modify a file to contain arbitrary code and then cause a target user to execute the modified file, giving the local user elevated privileges on the system.|
The vendor has released a patch, available at:|
As a workaround, a user with an admin account and password can manually change permissions on the file to resolve this problem. The vendor has provided the following instructions [quoted]:
"Activate a Terminal session and type in the following command.
sudo chmod 4775 "/Library/Application Support/Macrovision/AuthenticationService"
Enter your admin user password at the prompt and then the command will run and set the permissions on the file."
Vendor URL: www.macromedia.com/software/mx2004/ (Links to External Site)
Access control error, Configuration error|
|Underlying OS: UNIX (macOS/OS X)|
|Underlying OS Comments: Mac OS X|
Source Message Contents
Subject: Security Patch Available for Installer "Privilege Escalation"|
Potential Security Risk with Macromedia E-Licensing Client
Macintosh versions of the Macromedia installers and
e-licensing client install a service whose file permissions
allow "other" users to write to the file. This may allow one
local user to obtain the permissions of another local user
(including an admin user). This leads to a threat typically
This potential vulnerability affects only products installed
on machines with multiple users. Further, it does not appear
to be a threat under typical installation of Macromedia
products where the computer's only user is already considered
A patch can be downloaded from the Macromedia website to
protect users of current versions of Macromedia products:
Alternatively, a work-around is described in the "Making
the Changes" section of this bulletin.
Affected Software Versions:
All supported Macintosh versions of Macromedia MX 2004
products as well as Contribute 2 may be affected.
Macromedia categorizes this issue as a Moderate update
(see http://www.macromedia.com/go/DMJL_AABA) and recommends
that administrators of systems supporting multiple users
apply the patch located at:
Macintosh OS X versions of the Macromedia installers and
e-licensing client install the 'AuthenticationService'
as an SUID service whose file permissions allow "other"
users to write to the file. By default, these permissions
allow the code in the service to be changed by any local
user. In the event of modification by any non-admin user,
the operating system removes the SUID property.
The current behavior of Macromedia products using this
service mitigates all known attack vectors. All current
Macromedia products detect the file change, refuse to
execute the modified service, and reinstall the original,
unmodified binary. Therefore, a successful exploitation
requires the attacker to cause another user to execute
the service independent of any Macromedia product.
If the AuthenticationService file is manually deleted, a
reapplication of the patch may be required.
Making the Changes:
With an admin account and password, permissions on the
file can be manually changed to resolve this problem.
Activate a Terminal session and type in the following
sudo chmod 4775 "/Library/Application Support/Macrovision/
Enter your admin user password at the prompt and then
the command will run and set the permissions on the file.
NOTE: Back up your existing files before making changes.
As always, test the changes in a nonproduction environment
before applying the changes to production servers.
Macromedia would like to thank Chris Irvine of Dark Horse
Comics, Inc. for reporting this vulnerability and for
working with us to help protect our customers' security.
Reporting Security Issues:
Macromedia is committed to addressing security issues and
providing customers with the information on how they can
protect themselves. If you identify what you believe may
be a security issue with a Macromedia product, please
send an e-mail to firstname.lastname@example.org. We will work to
appropriately address and communicate the issue.
Receiving Security Bulletins:
When Macromedia becomes aware of a security issue that we
believe significantly affects our products or customers,
we will notify customers when appropriate. Typically this
notification will be in the form of a security bulletin
explaining the issue and the response. Macromedia customers
who would like to receive notification of new security
bulletins when they are released can sign up for our
security notification service.
For additional information on security issues at Macromedia,
ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES
PROVIDED BY MACROMEDIA IN THIS BULLETIN ARE PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MACROMEDIA AND ITS SUPPLIERS
DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR
OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY
OF NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY)
SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES,
SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.
IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION,
DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE,
COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE, OR
LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY
INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT
(INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN
IF MACROMEDIA, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA
ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE
EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO
HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE.
Macromedia reserves the right, from time to time, to update
the information in this document with current information.
Macromedia Support, Privacy, and Unsubscribe Information
Macromedia and your privacy:
Thank you for your continued interest in Macromedia products.
If you'd rather not receive updates about events, classes, or
products, write to email@example.com and type
'no thanks' in the Subject line. You may also change your
communication preferences by visiting this web page:
Macromedia, 600 Townsend St., San Francisco, California 94103
Go to the Top of This SecurityTracker Archive Page